Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name


When you are using Internet Explorer on a Windows 2000 or later client and browsing to a Web site where the host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with an HTTP error 401.1, error 401.2, or error 401.3.

Note Internet Explorer clients that are using Windows NT 4 or Windows 95 or Windows 98 will not fail. Also, other authentication schemes will work.

Microsoft ASP.NET users may see an error message that is similar to the following:

Server Error in '<application name>' Application.

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.


During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Server Principle Name (SPN) of the Internet Information Services (IIS) Web server. If the host header (Web site name) being requested differs from the NetBIOS name of the IIS 5.0 computer, Kerberos authentication will fail, causing 401.3 errors on the client.

Clients using Windows NT 4 or Windows 95 or Windows 98 succeed because they do not natively support Kerberos and thus use Windows NT Challenge/Response (NTLM) authentication.


  • If you are using Kerberos:

    Use the SetSPN.exe utility, from the Windows 2000 Resource Kit, to register any host header names of Web sites that are configured to use "Integrated" authentication and will be accessed from Windows 2000 clients. If your Web server is running Microsoft Windows Server 2003 and IIS 6, download the Setspn.exe tool from the following location:
    970536 Setspn.exe support tool update for Windows Server 2003

    For example:

    Server name:
    Host header:
    Use the SetSPN command to register the SPN:
    SetSPN -S HTTP/ webserver1
    NOTE: HOST is a default service type that can be used if HTTP is not working in the registered SPN. As an example, you can use the following command to register the SPN to a default service type:

    SetSPN -S HOST/ webserver1
  • If you are not using Kerberos:

    Remove Kerberos from the list of authentication providers in Internet Information Services 5.0 by using the following command:
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
NOTE: Adsutil.vbs must be run by a member of the local Admins group on the Internet Information Services computer.

More Information

A fresh install of Internet Information Services 5.0 with Integrated Authentication enabled will attempt to authenticate clients with Kerberos first. If a client does not support Kerberos, IIS will send that client an "Authenticate: NTLM" header, forcing it to authenticate using Windows NT Challenge/Response.


For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

217098 Basic overview of Kerberos authentication in Windows 2000

266080 Answers to frequently asked Kerberos questions

215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

248350 Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0


Article ID: 294382 - Last Review: Dec 11, 2009 - Revision: 1